4

I saw the link below on a Facebook group and someone commented that it's a phishing link. I checked the domain info and found that it's owned by Facebook but I am not sure if that information's trustworthy. So please tell me if it's safe to open it?

The link was:
https://lookaside.fbsbx.com/file/ScheduleforGATE17%20%28modified%29.pdf?token=AWxCUR8U84mktJ0xpKwdqePJLLRT9dabZhYmFbL-GnVvyoVJT_veNLO2swRQOelWDkGEfPw38PLyM-7U6iin-ng9vwB-HX4QPBP-QhouuRhePuobFE6zGc9HFWSlK0-46ratVPHxqBK7DdE_v0jZweE_uI4pbk-n8dDfpKUzP0R71Q

Steffen Ullrich
John Doe
  • 1
    Please don't make potentially malicious links easily clickable but instead just include the link as unclickable text. For now I've fixed this by editing your question. – Steffen Ullrich May 05 '17 at 20:53
  • I'm voting to close this because "tell me what this random link does" is a variant of "analyze this potential malware for me". – Arminius May 05 '17 at 21:14
  • @Arminius: well, [this question](https://security.stackexchange.com/questions/127667/what-should-i-do-about-gmail-ad-asking-me-for-password) wasn't closed whereas it was an overly specific problem. Maybe we should create a general "how to check the owner of a domain" general question? – Benoit Esnard May 05 '17 at 21:43
  • 2
    @BenoitEsnard The problem is that if this is an acceptable question, every "Is this link malicious?" question is. IMO, general questions along the lines of "How do I deal with an unknown link?" or "How do I check the owner of a domain?" would be the way to go here. But IIRC, we already have these somewhere. – Arminius May 05 '17 at 21:51
  • The link seems to be now removed? – Shritam Bhowmick May 06 '17 at 01:31
  • you're asking how to perform a `whois` lookup? – schroeder May 06 '17 at 07:34

2 Answers

11

There are several techniques to check whether the domain fbsbx.com is owned by Facebook.


WHOIS record

Let's check the WHOIS record for fbsbx.com:

```
Registry Registrant ID:
Registrant Name Domain Administrator
Registrant Organization Facebook, Inc.
Registrant Street   1601 Willow Road,
Registrant City Menlo Park
Registrant State/Province   CA
Registrant Postal Code  94025
Registrant Country  US
Registrant Phone    +1.6505434800
Registrant Phone Ext:
Registrant Fax  +1.6505434800
Registrant Fax Ext:
Registrant Email    domain@fb.com
```

fb.com is one of Facebook's domains, and the registrant organization is Facebook, so that looks legit.


DNS record

```
dig NS fbsbx.com

;ANSWER
fbsbx.com. 52794 IN NS a.ns.facebook.com.
fbsbx.com. 52794 IN NS b.ns.facebook.com.
```

The nameservers are on the facebook.com domain, which also looks legit.


TLS certificates

https://lookaside.fbsbx.com/ delivers a certificate issued for the following domains:

```
*.facebook.com
*.facebook.net
*.fb.com
*.fbcdn.net
*.fbsbx.com
*.m.facebook.com
*.messenger.com
*.xx.fbcdn.net
*.xy.fbcdn.net
*.xz.fbcdn.net
facebook.com
fb.com
messenger.com
```

So whoever owns fbsbx.com also has access to a valid facebook.com certificate.


The domain is legit.

Be warned that the PDF linked in the post may still link to phishing sites.

Benoit Esnard
  • 1
    Great answer on means of information gathering. But technically, none of the information you gathered *proves* anything about the domain ownership. WHOIS records and DNS entries could just as well be mocked. Also, it doesn't really help the asker conclude if clicking on the link is dangerous. – Arminius May 05 '17 at 22:06
  • 3
    @Arminius the TLS certificate might not prove ownership in an absolute sense, but I'd argue that in practice someone with illicit access to Facebook's PKI would not burn it on a phishing link. – J.A.K. May 06 '17 at 02:48
  • @Arminius faking DNS nameservers would require severe bad configuration on Facebook's side - an attacker that would be able to edit Facebook nameservers' zonefile would not also burn that ability on a phishing link. – Benoit Esnard May 06 '17 at 08:26
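
The hostname, certificate and nameserver checks from Benoit Esnard's answer above, as an added Python example that is not part of the original answer or its comments. It extracts the host a browser would actually connect to, matches it against the SAN list quoted in the answer using the one-label wildcard rule, and checks that the NS targets from the `dig` output sit under facebook.com. The function names and the `.example` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# SAN entries copied from the certificate list in the answer above.
CERT_SANS = [
    "*.facebook.com", "*.facebook.net", "*.fb.com", "*.fbcdn.net",
    "*.fbsbx.com", "*.m.facebook.com", "*.messenger.com", "*.xx.fbcdn.net",
    "*.xy.fbcdn.net", "*.xz.fbcdn.net", "facebook.com", "fb.com",
    "messenger.com",
]

# NS records copied from the dig output in the answer above.
DIG_ANSWER = """\
fbsbx.com. 52794 IN NS a.ns.facebook.com.
fbsbx.com. 52794 IN NS b.ns.facebook.com.
"""


def url_host(url):
    """Host the browser connects to (userinfo, port and trailing dot removed)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def san_matches(host, san):
    """RFC 6125 style match: '*' stands for exactly one left-most label."""
    h, s = host.lower().split("."), san.lower().split(".")
    if len(h) != len(s):
        return False
    if s[0] == "*":
        return h[0] != "" and h[1:] == s[1:]
    return h == s


def matching_sans(host, sans=CERT_SANS):
    """SAN entries that cover `host`; an empty list means the cert does not."""
    return [s for s in sans if san_matches(host, s)]


def ns_all_under(dig_answer, zone):
    """True when at least one NS record exists and every target is in `zone`."""
    rows = [line.split() for line in dig_answer.splitlines()]
    targets = [r[4].rstrip(".").lower() for r in rows
               if len(r) == 5 and r[3] == "NS"]
    return bool(targets) and all(t.endswith("." + zone) for t in targets)


if __name__ == "__main__":
    for url in ("https://lookaside.fbsbx.com/file/x.pdf",
                "https://lookaside.fbsbx.com.files.example/x.pdf",  # constructed
                "https://fbsbx.com@files.example/x.pdf"):           # constructed
        print(url_host(url), matching_sans(url_host(url)))
    print(ns_all_under(DIG_ANSWER, "facebook.com"))
```

A match only ties the hostname to the certificate; it says nothing about the file served from it.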
-1

If in doubt, do not click... I cannot see the content as the link is not valid anymore, but there is no guarantee that a link is safe even though a big company owns the domain. Take Google Docs as an example: anyone may create a public form asking for credentials, and it's hosted on Google's domain.

Mr. H